Merge #597

597: Add security headers r=carols10cents

These headers are all pretty straightforward except CSP. For CSP I
defined the sources based on what was loaded from visiting the main page
and all crates. Images should be safe, so I've allowed them from all
sources.

This should be checked on staging before deploying.

Fixes #586.

Author: bors-voyager[bot]

app/styles/app.scss

@@ -342,3 +342,11 @@ h1 {
         padding: 5px;
     }
 }
+
+.arrow-in-list svg {
+    background: #fff;
+}
+
+a.arrow svg {
+    background: #EEECDD;
+}

app/templates/components/category-list.hbs

@@ -3,7 +3,9 @@
         <li>
             {{#link-to 'category' category.slug class='name'}}
                 <span>{{ category.category }} ({{ format-num category.crates_cnt }})</span>
-                {{svg-jar "right-arrow"}}
+                <div class='arrow-in-list'>
+                    {{svg-jar "right-arrow"}}
+                </div>
             {{/link-to}}
         </li>
     {{/each}}

app/templates/components/crate-list.hbs

@@ -3,7 +3,9 @@
         <li>
             {{#link-to 'crate' crate.id class='name'}}
                 <span>{{ crate.name }} ({{ crate.max_version }})</span>
-                {{svg-jar "right-arrow"}}
+                <div class='arrow-in-list'>
+                    {{svg-jar "right-arrow"}}
+                </div>
             {{/link-to}}
         </li>
     {{/each}}

app/templates/components/keyword-list.hbs

@@ -3,7 +3,9 @@
         <li>
             {{#link-to 'keyword' keyword class='name'}}
                 <span>{{ keyword.id }} ({{ format-num keyword.crates_cnt }})</span>
-                {{svg-jar "right-arrow"}}
+                <div class='arrow-in-list'>
+                    {{svg-jar "right-arrow"}}
+                </div>
             {{/link-to}}
         </li>
     {{/each}}

app/templates/crate/version.hbs

@@ -40,9 +40,6 @@
     </div>
 </div>
 
-{{! This is used to set the url of to actually download a file }}
-<iframe id='download-frame' style='display:none'></iframe>
-
 {{#if currentVersion.yanked}}
     <div class='crate-info'>
         <div>

app/templates/crate/versions.hbs

@@ -22,7 +22,7 @@
                 {{/if}}
             </div>
             {{#link-to 'crate.version' version.num class='arrow'}}
-                {{svg-jar "right-arrow" style="background-color: #EEECDD"}}
+                {{svg-jar "right-arrow"}}
             {{/link-to}}
         </div>
     {{/each}}

public/assets/right-arrow.svg

@@ -1,3 +1,5 @@
+use conduit::{Request, Response};
+use conduit_middleware::Middleware;
 use curl;
 use curl::easy::{Easy, List};
 use oauth2::*;
@@ -6,7 +8,7 @@ use util::{CargoResult, internal, ChainError, human};
 use serde_json;
 use serde::Deserialize;
 use std::str;
-
+use std::error::Error;
 
 /// Does all the nonsense for sending a GET to Github. Doesn't handle parsing
 /// because custom error-code handling may be desirable. Use
@@ -88,3 +90,48 @@ pub fn token(token: String) -> Token {
         token_type: String::new(),
     }
 }
+
+#[derive(Clone, Copy, Debug)]
+pub struct SecurityHeadersMiddleware;
+
+impl Middleware for SecurityHeadersMiddleware {
+    fn after(
+        &self,
+        _: &mut Request,
+        mut res: Result<Response, Box<Error + Send>>,
+    ) -> Result<Response, Box<Error + Send>> {
+        if let Ok(ref mut response) = res {
+            // It would be better if we didn't have to have 'unsafe-eval' in the `script-src`
+            // policy, but google charts (used for the download graph on crate pages) uses `eval`
+            // to load scripts. Remove 'unsafe-eval' if google fixes the issue:
+            // https://github.com/google/google-visualization-issues/issues/1356
+            // or if we switch to a different graph generation library.
+            response.headers.insert(
+                "Content-Security-Policy".into(),
+                vec![
+                    "default-src 'self'; \
+                      connect-src 'self' https://docs.rs; \
+                      script-src 'self' 'unsafe-eval' \
+                                 https://www.google-analytics.com https://www.google.com; \
+                      style-src 'self' https://www.google.com https://ajax.googleapis.com; \
+                      img-src *; \
+                      object-src 'none'"
+                        .into(),
+                ],
+            );
+            response.headers.insert(
+                "X-Content-Type-Options".into(),
+                vec!["nosniff".into()],
+            );
+            response.headers.insert(
+                "X-Frame-Options".into(),
+                vec!["SAMEORIGIN".into()],
+            );
+            response.headers.insert(
+                "X-XSS-Protection".into(),
+                vec!["1; mode=block".into()],
+            );
+        }
+        res
+    }
+}

src/http.rs

@@ -227,6 +227,9 @@ pub fn middleware(app: Arc<App>) -> MiddlewareBuilder {
         cookie::Key::from_master(app.session_key.as_bytes()),
         env == Env::Production,
     ));
+    if env == Env::Production {
+        m.add(http::SecurityHeadersMiddleware);
+    }
     m.add(app::AppMiddleware::new(app));
 
     // Run each request in a transaction and roll back the transaction if the request results